Facilitate PCI Compliance. Using Tango/04 Multiplatform, Real-Time Solutions


Contents

Executive Summary
Introduction
The Details Behind PCI DSS
Background
Compliance vs. Validation
Recent Incentives and Penalties Announced by Visa
PCI DSS Requirements
Compliance Benefits
Achieving PCI DSS Compliance
Automated Tools - Continuous Monitoring and Real-Time Alerts
Continuous Monitoring and Real-time Alerts
Tango/04 Solutions for PCI DSS Compliance
Full Operating System Level Coverage
Databases, Web 2.0 Enablers and other Middleware
Record-level and Field-level Database Auditing
Third Party Security Products, Network Appliances and Device Integration
Business Application Monitoring
VISUAL Security Suite Output
Business and Enterprise Views
Real-time Alerts
Automated Actions
Compliance Reports
Ease of Use
Tango/04 Solutions and the PCI DSS Requirements
Valid for Cross Compliance
Extendability
Maximize Your Return on Investment
Summary
Multiplatform
Cross Compliance
Field Proven in Different Industries
Unique Extensibility
Appendix A Tango/04 Security Solutions
VISUAL Security Suite: List of Controls
Tango/04 Solutions Offer Extensive Coverage for the System i
Technology Alliances outside of IBM
Professional Services
Appendix B PCI DSS Requirements
Mapping of Tango/04 Solutions to PCI DSS Detailed Requirements
About Tango/04 Computing Group
Legal notice

Tango/04 Computing Group Page 1

Executive Summary

The Payment Card Industry Data Security Standard pertains to any company that stores, processes or transmits credit card information. If this applies to your company, you are required to be compliant with this private industry standard today. Depending on the volume of credit card transactions you process, demonstrating compliance may include an annual on-site audit conducted by an external auditor. In any case, you don't want to operate your business in a non-compliant state, because the associated penalties can be severe. For instance, if a data breach occurs while you are noncompliant, you can be fined up to $500,000 per incident and lose the right to accept or process credit card transactions. This could certainly be fatal to your business.

So let's agree that noncompliance is not an option. In that case, how do you put together a strategy that will help you meet the demanding requirements of PCI DSS year after year? A sustainable compliance plan must include automated software technology. This paper therefore describes VISUAL Security Suite, the Tango/04 multiplatform, real-time security solution for achieving compliance with various regulations and industry standards, and explains how it can be used to meet PCI requirements and protect your credit card data assets while reducing overall compliance costs.

For a number of years, the Tango/04 security solution has been used by companies worldwide to facilitate sustainable compliance with various regulations. Our technology is field proven and has been adopted by 7 of the 18 largest banks in the world to support their security strategies.

"Tango/04 software certainly simplifies our auditing process. Tango/04 pre-sale activities, post-sale implementation and support services exceeded our expectations. The Tango/04 employees are intelligent, helpful, funny, patient and honest. The training they provided was outstanding." David Dresdow, Team Leader, JD Edwards System Administration, Stora Enso

In fact, Stora Enso Inc., a multi-billion dollar integrated paper, packaging and forest products company with multiple locations in the US and across the globe, is just one of our customers using Tango/04 software to ease their auditing procedures. Other well-known companies using Tango/04 products include BankBoston, Coca-Cola, Pfizer, Shell, Office Depot and Nike. Please visit our website to view testimonials from satisfied customers and to learn more about our Security and integrated Business Service Management solutions.

Introduction

If your organization stores, processes or transmits credit card information, you are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). Depending on the number of transactions you process, you may also be required to demonstrate compliance through an annual on-site audit and validation process.

The good news about the PCI DSS requirements is that they are explicit and well defined, unlike some regulations such as Sarbanes-Oxley (SOX) and the associated COBIT control objectives. Simply understanding the control objectives of SOX can be difficult because they are vague in many areas and wide open to interpretation. Despite the direct nature of PCI DSS, however, its requirements are rigorous and can be quite challenging for many organizations. Specific challenges include tracking and monitoring access to all networks and systems containing cardholder information, encrypting cardholder data, authenticating users who access systems holding credit card data, and installing and maintaining firewalls.

Challenges aside, there are many benefits to compliance: protection of consumer credit card information according to industry best practices, a significant reduction in the risk of a data breach, avoidance of the costs associated with a breach, and enhancement of your company's image. Conversely, the consequences of noncompliance can be financially damaging, through monetary penalties as well as higher interchange rates on credit card transactions. If an actual data breach occurs while you are noncompliant, the cost can be enormous: imposed fines, time spent responding to and containing the breach, and lawsuits. The negative press associated with a breach can also lead to the loss of existing customers as well as new customer opportunities, none of which is good for your business.

In this white paper we discuss the evolution of PCI DSS, primarily the result of collaborative efforts between Visa and MasterCard, describe the requirements at hand, and explain the recent incentives and deadlines put forth by Visa to comply by certain dates. We also examine how the Tango/04 multiplatform, real-time security solution can help you comply with PCI DSS while simultaneously increasing the efficiency of your business processes and generating a positive return on investment (ROI).

The Details Behind PCI DSS

First and foremost, PCI DSS is a multifaceted standard applicable to organizations that store, process or transmit credit card information that includes the customer's Primary Account Number (PAN). The intent of the standard is to protect consumers by offering a single approach to safeguarding sensitive data for all credit card brands. Before we get into the specifics of PCI DSS, let's step back for a moment and discuss the independent efforts of individual credit card companies that led to this widely accepted standard.

Background

When customers provide their credit card information at a store, over the web, on the phone, or through the mail, they want to know that their account data is safe. To address this need for customer assurance, Visa created the Cardholder Information Security Program (CISP). Mandated since June 2001, CISP is intended to protect Visa cardholder data wherever it resides, ensuring that members, merchants, and service providers maintain the highest information security standard. To protect its own customers' information, MasterCard implemented a similar set of data security requirements called the Site Data Protection (SDP) program. Both Visa and MasterCard categorized their merchant base into four levels, based primarily on the annual volume of transactions processed, as shown below [1].

Level 1: any merchant with more than 6,000,000 transactions per year, as well as any merchant that has already experienced an account compromise (Visa and MasterCard)
Level 2: any merchant processing 1,000,000 to 6,000,000 transactions per year (Visa); any merchant processing 150,000 to 6,000,000 e-commerce transactions per year (MasterCard)
Level 3: any merchant processing 20,000 to 1,000,000 e-commerce transactions per year (Visa); any merchant processing 20,000 to 150,000 e-commerce transactions per year (MasterCard)
Level 4: any merchant processing fewer than 20,000 e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing fewer than 1,000,000 transactions per year (Visa); all other merchants (MasterCard)

There are also similar levels defined for service providers, that is, organizations that process, store or transmit cardholder data on behalf of members, merchants or other service providers. The reason for the level categories is to identify high-volume processors, who are subject to stricter validation requirements. The basic concept is that the risk of a data compromise increases proportionately with the volume of transactions processed.

Over time, Visa International and MasterCard Worldwide worked together to align their individual data security programs and in December 2004 formed a single, industry-wide standard for data security known as the Payment Card Industry Data Security Standard. In short order, PCI DSS was endorsed by American Express, Discover Financial Services, and JCB (the Japan-based card brand), even though some of these companies also had their own data security standards. Finally, in September 2006 the five major payment card networks announced the formation of an independent body called the PCI Security Standards Council [2]. Its purpose is to own, maintain and distribute information about PCI DSS to affected organizations. Advisors to the Council include representatives from well-known companies such as Bank of America, Wal-Mart, Microsoft and PayPal.

Compliance vs. Validation

All merchants that accept credit cards as a form of payment, and all service providers involved in the processing of credit card transactions, are required to be compliant with PCI DSS right now. The fundamental difference between Level 1 and lower-level merchants and service providers is the amount of third-party validation that must be done to complete the certification process. Specifically, Level 1 merchants and Level 1 and 2 service providers must undergo an on-site PCI security audit every year. Level 2, 3 and 4 merchants and Level 3 service providers must submit an annual Self-Assessment Questionnaire and do not require an on-site audit. Network scans must be completed quarterly by merchants and service providers at all levels; the only exception is Level 4 merchants, for whom a quarterly network scan is recommended but not required.

So where do we stand in terms of industry compliance? According to Visa USA President and CEO John Coghlan, at year-end 2006 only about 20 percent of the top 200 merchants were in compliance with the PCI standards. However, Gartner predicts that by the end of 2007, 75 percent of Level 1 merchants and 30 percent of Level 2 merchants will be compliant [3]. The anticipated increase in compliance may in part be fueled by the deadlines, incentives and fines publicized by Visa at the end of 2006.

Recent Incentives and Penalties Announced by Visa

In December 2006, Visa announced the PCI Compliance Acceleration Program (PCI CAP), offering $20 million in financial incentives as well as new sanctions in an effort to further PCI DSS compliance [4]. In essence, PCI CAP sets a September 30, 2007 deadline for compliance by Level 1 merchants and a December 31, 2007 deadline for Level 2 merchants [5]. Noncompliant merchants face monthly fines of up to $25,000 and higher interchange rates, the commissions they pay on transactions. (Prior to these new penalties, merchants and service providers were only assessed monetary fines if an actual data breach occurred.) Those who can validate compliance by September 30, 2008 may qualify for a refund of up to three months of the higher commissions, but will have to attest that they made strenuous efforts to comply by the earlier date. Visa has also stated that it will reward acquiring banks whose merchants are fully compliant by September 30, 2007, and has set aside $20 million for that incentive. As of mid-August 2007, Visa had already paid out about $7 million to compliant companies.

[1] The level definitions also include other criteria in some cases; for the specific Visa and MasterCard level definitions, see their respective websites.
[2] To learn more about the PCI SSC, please visit its website.
[5] PCI Compliance Deadlines Have Retailers Scrambling, SearchCIO.com, 09/13/

PCI DSS Requirements

Now that we understand the evolution of PCI DSS and the importance of compliance, let's take a closer look at the requirements themselves. Version 1.1 of the PCI Data Security Standard comprises 12 high-level requirements, further broken down into just over 200 sub-requirements. The 12 high-level requirements fall under 6 principles, as shown below. (PCI DSS version 1.1 and all supporting documentation can be found on the PCI Security Standards Council website.)

Build and Maintain a Secure Network
  Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
  Requirement 3: Protect stored cardholder data
  Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
  Requirement 5: Use and regularly update anti-virus software
  Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
  Requirement 7: Restrict access to cardholder data by business need-to-know
  Requirement 8: Assign a unique ID to each person with computer access
  Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
  Requirement 10: Track and monitor all access to network resources and cardholder data
  Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
  Requirement 12: Maintain a policy that addresses information security

These 12 requirements apply to all system components, defined as any network component, server or application that is included in or connected to the cardholder data environment.

Compliance Benefits

PCI DSS is of great benefit to consumers in terms of protecting their personal information from unauthorized use or disclosure. Compliance with the standard is also good for companies, because a data breach can be very costly and wreak havoc on a company's image. Beyond that, implementing PCI DSS can actually reduce compliance costs over the long run. Once it has been implemented, the rigorous standard instills security best practices across the entire enterprise, which makes it easier and less expensive to meet new requirements that may be imposed in the future. This applies both to completely new sets of regulations and standards and to future revisions of PCI DSS. That being said, achieving and maintaining compliance with this comprehensive standard is not trivial and is bound to be difficult for many companies.

Achieving PCI DSS Compliance

As with other regulations such as Sarbanes-Oxley or HIPAA, compliance efforts are most successful when they are coordinated with business users and overall corporate objectives. Involving executive management from the very beginning secures corporate support, an essential component of a successful and ongoing compliance strategy. Implementing the controls necessary to comply with PCI DSS also creates opportunities to improve the efficiency of business processes, which in turn yields increased productivity and cost savings.

Another cost benefit of compliance is that it decreases the likelihood of a data breach, which can be extremely expensive. A case in point is the security breach disclosed in January 2007 at the TJX Companies, based in Framingham, Massachusetts, which exposed the data of more than 45 million credit and debit card holders over an 18-month period. As of August 2007, the breach had cost TJX more than $250 million. A large portion of the cost has been related to containing the intrusion, bolstering data security procedures and systems, notifying customers and responding to a growing list of lawsuits [6]. Had TJX been compliant with PCI DSS early on, it is likely that the breach would not have occurred or, if it had, that the exposure of consumer information would have been far smaller.

An important aspect of complying with PCI DSS is continuous monitoring. You need to know, on a 24/7 basis, of any unauthorized attempt to access your critical files. That leads us to automated software technology.

Automated Tools - Continuous Monitoring and Real-Time Alerts

PCI DSS Requirement 10 (Track and monitor all access to network resources and cardholder data, under the principle Regularly Monitor and Test Networks) consists of seven first-level sub-requirements. In particular, sub-requirement 10.2 calls for automated audit trails for all system components so that specific events can be reconstructed. It could not be clearer: to satisfy this condition, companies need to use automated software technology. Although automated software tools require an up-front investment, they generally deliver a positive ROI. Beyond that, automated tools provide consistent, accurate and reliable monitoring and reporting, something you will need in order to demonstrate compliance to an outside auditor.

Continuous Monitoring and Real-time Alerts

A major advantage of automated software tools is their ability to run 24/7, constantly watching over your implemented PCI DSS security plan and critical data assets. Continuous monitoring is a vital component of a sustainable compliance plan. We recommend that you only consider automated tools that can alert you in real time when a suspicious security event takes place. Real-time warnings are invaluable because they allow you to minimize risk exposure and attend to security incidents as they occur. Once again, consider the TJX data breach, which spanned an 18-month period. Had continuous monitoring and real-time alerts been in place, the company could have detected the first unauthorized data access event when it occurred and responded with defensive actions immediately, rather than months later. Continuous auditing is a major trend, and since real-time alerting is available today, there is no reason not to know about a potentially serious security issue before it is too late.

In the next section we examine the Tango/04 toolset that is currently in use by many companies worldwide in support of their compliance strategies.

[6] Cost of Data Breach at TJX Soars to $256m, Ross Kerber, The Boston Globe, August 15,

Tango/04 Solutions for PCI DSS Compliance

The Tango/04 Computing Group [7] is a leading developer of Security and Infrastructure Monitoring, Reporting and Business Service Management solutions. Its VISUAL Security Suite is a multiplatform security solution that can easily become part of your automated processes for achieving sustainable PCI DSS compliance. As shown in Figure 1 below, VISUAL Security Suite receives audit information from various sources within your enterprise.

Figure 1 Overview of VISUAL Security Suite

In line with PCI DSS requirements, its monitoring engine offers agents for your different platforms, network components, applications, logs and databases. In many cases, the monitors can run remotely (agentless), reducing deployment time and avoiding interference with other applications. In addition, each monitor retrieves only the information you are interested in, allowing you to filter out irrelevant data at the source. This filtering keeps the monitoring footprint and overhead down, resulting in little to no performance impact on your systems.

[7] For detailed information about Tango/04, its solutions and customer case studies, please go to the Tango/04 website.

Full Operating System Level Coverage

The VISUAL Security Suite agents for the System i, Windows, Unix, Linux and AIX can keep track of:

  Changes and access to all files and objects, including financial databases, configuration files, sensitive information, etc. Specifically: deletes, copies, edits, renames, restores, and read-only access to specific data
  Unauthorized access attempts
  Authority failures, such as persistent failed sign-on attempts and object access denials
  System configuration changes, such as creation and modification of user profiles, and system value changes
  Command use, so you can watch suspicious users and monitor the use of sensitive commands

We have a library of standard controls you can leverage, based on our experience with many different industries and security projects. New, custom checks can easily be added. For instance, system access times may be well defined at your company, and it is simple to define the time of day when a login attempt (even if it is allowed by the operating system) should be considered suspicious. Other controls can be less direct but equally important. For example, an unusual increase in storage occupation or bandwidth consumption can be a symptom of suspicious activity (such as a virus sending out spam from a compromised workstation). Because VISUAL Security Suite lets you monitor several performance indicators in addition to traditional security events, you can define a comprehensive list of controls. Please refer to Appendix A for a list of common controls per platform.

Databases, Web 2.0 Enablers and other Middleware

VISUAL Security Suite can extract information from, and continuously audit, several databases and middleware products such as web application servers, including the IBM WebSphere Application Server. Platform-specific controls can be set. Log files can be scraped, formatted, and correlated in real time from several sources. Different adapters (WMI, JMX, SNMP, syslog, text files, message queues, etc.) are also available to maximize the integration capabilities.
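The two sign-on controls described above (a run of failed sign-on attempts, and a login that the operating system allows but that falls outside the hours your policy defines) come down to a small amount of stream-processing logic once raw log lines have been parsed into the fields Requirement 10.3 asks for. What follows is an added example written for this page; it is not Tango/04 code, and the log line format, the host and user names, the ten-minute window, the five-failure threshold and the 07:00-19:00 approved hours are all constructed assumptions standing in for whatever your platform agents and policy actually provide.

```python
"""Added example for this page (not Tango/04 code): parse raw sign-on log lines
into PCI DSS 10.3-style fields and apply two controls the text describes:
a burst of failed sign-ons for one user and a successful sign-on outside the
approved hours. The log line format, hosts, users, window and threshold are
all constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Assumed line format: "<ISO timestamp> <host> SIGNON user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) SIGNON user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$")

FAIL_THRESHOLD = 5                      # failures per user ...
FAIL_WINDOW = timedelta(minutes=10)     # ... inside this sliding window raise an alert
ALLOWED_START, ALLOWED_END = time(7, 0), time(19, 0)   # assumed approved sign-on hours


def parse_line(line):
    """Return the 10.3 fields (user, event type, timestamp, result, origin, host) or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["event_type"] = "signon"
    return ev


def evaluate(lines):
    """Process lines in arrival order; return alerts as (control, user, detail) tuples."""
    alerts = []
    failures = defaultdict(deque)       # user -> timestamps of failures inside the window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                     # not a sign-on record; other controls would look at it
        user, ts = ev["user"], ev["ts"]
        if ev["result"] == "fail":
            q = failures[user]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:
                q.popleft()              # drop failures that have aged out of the window
            if len(q) == FAIL_THRESHOLD: # fire exactly once as the threshold is crossed
                alerts.append(("persistent_signon_failure", user,
                               f"{len(q)} failures within {FAIL_WINDOW} from {ev['src']} on {ev['host']}"))
        elif not (ALLOWED_START <= ts.time() < ALLOWED_END):
            # The OS allowed the sign-on; policy says this hour is still suspicious.
            alerts.append(("off_hours_signon", user,
                           f"successful sign-on at {ts.isoformat()} on {ev['host']} from {ev['src']}"))
    return alerts


# Constructed sample: a guessing burst against a powerful System i profile at 02:11,
# a success right after it, then routine daytime activity and one unrelated line.
SAMPLE_LINES = [
    "2007-09-12T02:11:05 sysi01 SIGNON user=qsecofr src=10.1.1.7 result=fail",
    "2007-09-12T02:11:09 sysi01 SIGNON user=qsecofr src=10.1.1.7 result=fail",
    "2007-09-12T02:11:14 sysi01 SIGNON user=qsecofr src=10.1.1.7 result=fail",
    "2007-09-12T02:11:20 sysi01 SIGNON user=qsecofr src=10.1.1.7 result=fail",
    "2007-09-12T02:11:27 sysi01 SIGNON user=qsecofr src=10.1.1.7 result=fail",
    "2007-09-12T02:11:33 sysi01 SIGNON user=qsecofr src=10.1.1.7 result=ok",
    "2007-09-12T09:30:00 win-pos3 SIGNON user=jdoe src=10.1.2.44 result=ok",
    "2007-09-12T09:31:10 win-pos3 SIGNON user=jdoe src=10.1.2.44 result=fail",
    "2007-09-12T09:32:00 win-pos3 CPU load 12%",
]

if __name__ == "__main__":
    for control, user, detail in evaluate(SAMPLE_LINES):
        print(f"ALERT {control}: {user}: {detail}")
```

Two design points matter more than the thresholds themselves. A success after a burst is deliberately not used to reset the failure counter, since a guessed password is exactly the case you want to see, and it is the off-hours rule that catches the follow-on login in the sample. The sliding window also only works if the timestamps from different hosts are comparable, which is why PCI DSS separately requires synchronized system clocks (sub-requirement 10.4); a control like this is only as good as the time source feeding it.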

Record-level and Field-level Database Auditing

The Data Monitor module captures all changes, inserts, deletions and reads to the files you specify, so you know who, what, when and how. This is exactly the level of detail you need to comply with PCI DSS requirements 10.2 (implement automated audit trails for all system components to reconstruct events) and 10.3 (record specified audit trail entries, such as user identification, type of event, and date and time, for each event on every system component). Specifically, Data Monitor provides record-level audit data for each transaction, including:

  Type of event, such as update, insert, delete or read
  Before and after image of the changed record, clearly indicating the changed fields
  User that made the change (including the real user behind application transactions)
  Timestamp
  Context data and platform-specific information (such as the application name for SQL Server and the library/program for DB2 on the System i)

With this level of visibility, you are able to keep all users (including database administrators and privileged users) under control by tracking every action on your sensitive files. Because the control is done at the database level, it does not matter where the change came from or which tool was used to make it. In addition, the before and after images of record changes allow you to revert a change to its original value when necessary.

Third Party Security Products, Network Appliances and Device Integration

VISUAL Security Suite can monitor, correlate, inspect and immediately alert you on any log file, regardless of where it resides and which application produced it. It is also easy to centralize control of all this dispersed information, effectively monitoring the activity of network devices such as routers, switches and firewalls. Third-party applications such as intrusion detection/prevention systems, antivirus products, vulnerability scanners, Virtual Private Networking (VPN) gateways and the like can also be integrated easily.

Business Application Monitoring

One area where most security products fall short is extracting relevant security information from different business applications; home-grown applications are particularly difficult for most products. Yet as your level of maturity increases, there is a strong need to go from basic audit controls on operating systems and equipment to business-level controls. VISUAL Security Suite can help you automate the control of your existing applications. It includes a universal log reader (Applications Agent) that can read virtually any log at high speed. Using BNF (Backus-Naur Form) grammar definitions that can be created and modified easily, practically any application's events can be integrated in real time. In other cases, instead of text files, application security logs and events are stored in data tables, which can easily be integrated with the VISUAL Security Suite Data Adapter. When more complex business-level controls are required (such as changes to dormant accounts in banks, excessively discounted sales, or other domain-specific checks), Data Monitor can inspect every one of millions of transactions in real time. Integrity checks can be put in place to make sure no unauthorized changes are made from outside the applications, bypassing the applications' own integrity controls.

Examples of business applications that can be monitored with VISUAL Security Suite include SAP R/3, Siebel, JD Edwards, SWIFT, legacy (RPG/COBOL) applications, and practically any custom application running in any environment, from mainframes to standalone desktop workstations. Modern Java applications can also be monitored using JMX (Java Management Extensions) technology.

The information presented in this section is merely a subset of the kind of audit data you can collect with VISUAL Security Suite. Please refer to Appendix A for a more complete listing by platform.

VISUAL Security Suite Output

Once the audit information you specify has been collected, it can be accessed and presented to you in a variety of ways:

  Business and Enterprise views
  Real-time alerts
  Automated actions
  Reports

Let's examine each one of these output mechanisms.

Business and Enterprise Views

One of the key features of VISUAL Security Suite is that it allows you to manage your security centrally by consolidating events across all platforms in a single view. This is accomplished using the VISUAL Security Suite SmartConsole, shown below in Figure 2.

Figure 2 The SmartConsole

© 2007 Tango/04 Computing Group

Within the SmartConsole, the leftmost pane contains your business view as a series of hierarchical folders that are color coded to quickly draw your attention to important events. Although a default security configuration ships with VISUAL Security Suite, you are free to customize this view to fit your corporate needs. Note that the folders under the iSeries and Windows Security branches are green, indicating no imminent issues. However, there is a problem with the Infrastructure node, as indicated by the red folder. Expanding any of the folders and then double-clicking the problem node reveals the underlying messages pertaining to the issue. These messages contain detailed information about the problem and many soft-coded variables that can be passed to notification messages sent to you, for instance to your cell phone. The uppermost right pane in Figure 2 summarizes your business services, and the pane below it identifies the most probable root cause of the failure. Although this figure shows both security and infrastructure configurations, you can install the security portion alone and either grow into infrastructure monitoring at a later date or continue to use whatever infrastructure monitoring you already have in place.

In addition to business views, security information can also be presented in an enterprise view or dashboard accessible through the web. Enterprise views can be especially useful for CISOs who need a high-level glimpse of current security status but not the underlying details provided by the SmartConsole. Figure 3 below presents a sample enterprise view of a compliance scenario.

Figure 3 Sample Enterprise View of a Compliance Scenario
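The record-level audit trail described under "Record-level and Field-level Database Auditing" above (event type, the real user behind the change, a timestamp, before and after images with the changed fields identified, and the ability to revert a change from its before image) can be illustrated with database triggers, which fire whatever tool issued the statement. The following is an added example written for this page; it is not Tango/04's Data Monitor, whose internals the page does not describe. The cardholder table layout, the audit_session table used to hand the application's real user to the triggers, the pipe-delimited image format and the sample rows are all constructed assumptions; SQLite from Python's standard library is used only so the example runs offline.

```python
"""Added example for this page (not Tango/04 Data Monitor): a trigger-based,
record-level audit trail for a cardholder table. Every insert, update and
delete is logged with the event type, the real (application) user, a timestamp
and before/after images, whatever tool issued the statement. Table names,
the audit_session mechanism and the sample rows are constructed assumptions."""
import sqlite3

FIELDS = ("holder", "pan_last4", "credit_limit")   # columns captured in each image

SCHEMA = """
CREATE TABLE card_accounts (
    id INTEGER PRIMARY KEY, holder TEXT, pan_last4 TEXT, credit_limit INTEGER);
-- The application stores the acting end-user here before each transaction so the
-- triggers record the real person rather than the shared application login.
CREATE TABLE audit_session (real_user TEXT NOT NULL);
INSERT INTO audit_session VALUES ('unknown');
CREATE TABLE audit_trail (
    seq INTEGER PRIMARY KEY AUTOINCREMENT, event_type TEXT NOT NULL,
    real_user TEXT NOT NULL, at TEXT NOT NULL, record_id INTEGER NOT NULL,
    before_image TEXT, after_image TEXT);
-- Images are stored as holder|pan_last4|credit_limit (assumes no '|' in the values).
CREATE TRIGGER aud_ins AFTER INSERT ON card_accounts BEGIN
  INSERT INTO audit_trail (event_type, real_user, at, record_id, before_image, after_image)
  VALUES ('insert', (SELECT real_user FROM audit_session), datetime('now'), NEW.id,
          NULL, NEW.holder || '|' || NEW.pan_last4 || '|' || NEW.credit_limit);
END;
CREATE TRIGGER aud_upd AFTER UPDATE ON card_accounts BEGIN
  INSERT INTO audit_trail (event_type, real_user, at, record_id, before_image, after_image)
  VALUES ('update', (SELECT real_user FROM audit_session), datetime('now'), NEW.id,
          OLD.holder || '|' || OLD.pan_last4 || '|' || OLD.credit_limit,
          NEW.holder || '|' || NEW.pan_last4 || '|' || NEW.credit_limit);
END;
CREATE TRIGGER aud_del AFTER DELETE ON card_accounts BEGIN
  INSERT INTO audit_trail (event_type, real_user, at, record_id, before_image, after_image)
  VALUES ('delete', (SELECT real_user FROM audit_session), datetime('now'), OLD.id,
          OLD.holder || '|' || OLD.pan_last4 || '|' || OLD.credit_limit, NULL);
END;
"""


def open_audited_db():
    """Create an in-memory database with the table, the triggers and the audit trail."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def set_real_user(conn, user):
    """Called by the application at the start of each end-user transaction."""
    conn.execute("UPDATE audit_session SET real_user = ?", (user,))


def image_to_dict(image):
    return None if image is None else dict(zip(FIELDS, image.split("|")))


def changed_fields(before_image, after_image):
    """Names of the fields that differ between the images (all fields for insert/delete)."""
    before, after = image_to_dict(before_image), image_to_dict(after_image)
    if before is None or after is None:
        return list(FIELDS)
    return [f for f in FIELDS if before[f] != after[f]]


def audit_trail(conn):
    """Return the trail as dicts carrying the 10.3-style fields plus the changed-field list."""
    rows = conn.execute(
        "SELECT seq, event_type, real_user, at, record_id, before_image, after_image "
        "FROM audit_trail ORDER BY seq").fetchall()
    return [dict(seq=seq, event_type=ev, real_user=usr, at=at, record_id=rid,
                 before=image_to_dict(b), after=image_to_dict(a), changed=changed_fields(b, a))
            for seq, ev, usr, at, rid, b, a in rows]


def revert_update(conn, seq, acting_user):
    """Put the record back to its before image; the revert is itself audited under acting_user."""
    row = conn.execute("SELECT event_type, record_id, before_image FROM audit_trail WHERE seq = ?",
                       (seq,)).fetchone()
    if row is None or row[0] != "update":
        raise ValueError("only update events carry a before image to revert to")
    before = image_to_dict(row[2])
    set_real_user(conn, acting_user)
    conn.execute("UPDATE card_accounts SET holder = ?, pan_last4 = ?, credit_limit = ? WHERE id = ?",
                 (before["holder"], before["pan_last4"], int(before["credit_limit"]), row[1]))


def demo():
    """Constructed scenario: an application insert, a direct privileged edit, and its reversal."""
    conn = open_audited_db()
    set_real_user(conn, "alice")      # application transaction on behalf of end-user alice
    conn.execute("INSERT INTO card_accounts VALUES (1, 'J. Doe', '4242', 5000)")
    set_real_user(conn, "dba_bob")    # privileged user editing the table with an ad hoc SQL tool
    conn.execute("UPDATE card_accounts SET credit_limit = 50000 WHERE id = 1")
    suspicious = audit_trail(conn)[-1]
    revert_update(conn, suspicious["seq"], "sec_ops")
    limit = conn.execute("SELECT credit_limit FROM card_accounts WHERE id = 1").fetchone()[0]
    return audit_trail(conn), limit


if __name__ == "__main__":
    for event in demo()[0]:
        print(event["seq"], event["event_type"], event["real_user"], event["changed"])
```

Three caveats a practitioner would raise before relying on something like this. The single audit_session row is a stand-in: on a real DBMS the real user has to travel with the connection or session (each product has its own mechanism), or concurrent transactions will be attributed to the wrong person. Triggers only see inserts, updates and deletes, so the read events the text lists need the database's own audit facility or log-based collection. And anyone with DDL rights can drop or alter the triggers and the audit table, which is why the trigger definitions themselves belong under the same configuration-change monitoring the page describes for system objects, and why the trail should be shipped off the host rather than left next to the data it protects.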


More information

Navigate Your Way to PCI DSS Compliance

Navigate Your Way to PCI DSS Compliance Whitepaper Navigate Your Way to PCI DSS Compliance The Payment Card Industry Data Security Standard (PCI DSS) is a series of IT security standards that credit card companies must employ to protect cardholder

More information

Achieving Compliance with the PCI Data Security Standard

Achieving Compliance with the PCI Data Security Standard Achieving Compliance with the PCI Data Security Standard June 2006 By Alex Woda, MBA, CISA, QDSP, QPASP This article describes the history of the Payment Card Industry (PCI) data security standards (DSS),

More information

Project Title slide Project: PCI. Are You At Risk?

Project Title slide Project: PCI. Are You At Risk? Blank slide Project Title slide Project: PCI Are You At Risk? Agenda Are You At Risk? Video What is the PCI SSC? Agenda What are the requirements of the PCI DSS? What Steps Can You Take? Available Services

More information

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015 I. PURPOSE The purpose of this policy is to establish guidelines for processing charges on Payment Cards to protect

More information

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI WHITEPAPER Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI About PCI DSS Compliance The widespread use of debit and credit cards in retail transactions demands

More information

AISA Sydney 15 th April 2009

AISA Sydney 15 th April 2009 AISA Sydney 15 th April 2009 Where PCI stands today: Who needs to do What, by When Presented by: David Light Sense of Security Pty Ltd Agenda Overview of PCI DSS Compliance requirements What & When Risks

More information

March 2012 www.tufin.com

March 2012 www.tufin.com SecureTrack Supporting Compliance with PCI DSS 2.0 March 2012 www.tufin.com Table of Contents Introduction... 3 The Importance of Network Security Operations... 3 Supporting PCI DSS with Automated Solutions...

More information

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009

University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 University of Dayton Credit / Debit Card Acceptance Policy September 1, 2009 Effective Date of this Policy: August 1, 2008 Last Revision: September 1, 2009 Contact for More Information: UDit Internal Auditor

More information

Achieving PCI Compliance Using F5 Products

Achieving PCI Compliance Using F5 Products Achieving PCI Compliance Using F5 Products Overview In April 2000, Visa launched its Cardholder Information Security Program (CISP) -- a set of mandates designed to protect its cardholders from identity

More information

Frequently Asked Questions

Frequently Asked Questions PCI Compliance Frequently Asked Questions Table of Content GENERAL INFORMATION... 2 PAYMENT CARD INDUSTRY DATA SECURITY STANDARD (PCI DSS)...2 Are all merchants and service providers required to comply

More information

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard

Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard White Paper Using PowerBroker Identity Services to Comply with the PCI DSS Security Standard Abstract This document describes how PowerBroker Identity Services Enterprise and Microsoft Active Directory

More information

Teleran PCI Customer Case Study

Teleran PCI Customer Case Study Teleran PCI Customer Case Study Written by Director of Credit Card Systems for Large Credit Card Issuer Customer Case Study Summary A large credit card issuer was engaged in a Payment Card Industry Data

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

The PCI Dilemma. COPYRIGHT 2009. TecForte

The PCI Dilemma. COPYRIGHT 2009. TecForte The PCI Dilemma Today, all service providers and retailers that process, store or transmit cardholder data have a legislated responsibility to protect that data. As such, they must comply with a diverse

More information

La règlementation VisaCard, MasterCard PCI-DSS

La règlementation VisaCard, MasterCard PCI-DSS La règlementation VisaCard, MasterCard PCI-DSS Conférence CLUSIF "LES RSSI FACE À L ÉVOLUTION DE LA RÉGLEMENTATION" 7 novembre 07 Serge Saghroune Overview of PCI DSS Payment Card Industry Data Security

More information

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure.

Bottom line you must be compliant. It s the law. If you aren t compliant, you are leaving yourself open to fines, lawsuits and potentially closure. Payment Card Industry Security Standards Over the past years, a series of new rules and regulations regarding consumer safety and identify theft have been enacted by both the government and the PCI Security

More information

PCI DSS COMPLIANCE DATA

PCI DSS COMPLIANCE DATA PCI DSS COMPLIANCE DATA AND PROTECTION EagleHeaps FROM CONTENTS Overview... 2 The Basics of PCI DSS... 2 PCI DSS Compliance... 4 The Solution Provider Role (and Accountability).... 4 Concerns and Opportunities

More information

PCI DSS Reporting WHITEPAPER

PCI DSS Reporting WHITEPAPER WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts

More information

AlienVault for Regulatory Compliance

AlienVault for Regulatory Compliance AlienVault for Regulatory Compliance Overview of Regulatory Compliance in Information Security As computers and networks have become more important in society they and the information they contain have

More information

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008

Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 Payment Card Industry Data Security Standard (PCI DSS) Q & A November 6, 2008 What is the PCI DSS? And what do the acronyms CISP, SDP, DSOP and DISC stand for? The PCI DSS is a set of comprehensive requirements

More information

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00 PCI PA - DSS Point XSA Implementation Guide Atos Worldline Banksys XENTA SA Version 1.00 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page number 2 (16)

More information

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI White Paper Achieving PCI Data Security Standard Compliance through Security Information Management White Paper / PCI Contents Executive Summary... 1 Introduction: Brief Overview of PCI...1 The PCI Challenge:

More information

Thoughts on PCI DSS 3.0. September, 2014

Thoughts on PCI DSS 3.0. September, 2014 Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology

More information

LogRhythm and PCI Compliance

LogRhythm and PCI Compliance LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent

More information

Barracuda Web Site Firewall Ensures PCI DSS Compliance

Barracuda Web Site Firewall Ensures PCI DSS Compliance Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6

COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6 1. Procedure Title: PCI Compliance Program COLORADO STATE UNIVERSITY Financial Procedure Statements FPI 6-6 2. Procedure Purpose and Effect: All Colorado State University departments that accept credit/debit

More information

PAI Secure Program Guide

PAI Secure Program Guide PAI Secure Program Guide A complete guide to understanding the Payment Card Industry Data Security Requirements and utilizing the PAI Secure Program. Letter From the CEO Welcome to PAI Secure. As you

More information

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance Date: 07/19/2011 The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance PCI and HIPAA Compliance Defined Understand

More information

PCI Standards: A Banking Perspective

PCI Standards: A Banking Perspective Slide 1 PCI Standards: A Banking Perspective Bob Brown, CISSP Wachovia Corporate Information Security Slide 2 Agenda 1. Payment Card Initiative History 2. Description of the Industry 3. PCI-DSS Control

More information

The Comprehensive Guide to PCI Security Standards Compliance

The Comprehensive Guide to PCI Security Standards Compliance The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

Payment Card Industry Data Security Standard Explained

Payment Card Industry Data Security Standard Explained Payment Card Industry Data Security Standard Explained Agenda Overview of PCI DSS Compliance Levels and Requirements PCI DSS in More Detail Discussion, Questions and Clarifications Overview of PCI-DSS

More information

Need to be PCI DSS compliant and reduce the risk of fraud?

Need to be PCI DSS compliant and reduce the risk of fraud? Need to be PCI DSS compliant and reduce the risk of fraud? NCR Security lessens your PCI compliance burden and protects the integrity of your network An NCR White Paper Experience a new world of interaction

More information

PCI Data Security Standards

PCI Data Security Standards PCI Data Security Standards An Introduction to Bankcard Data Security Why should we worry? Since 2005, over 500 million customer records have been reported as lost or stolen 1 In 2010 alone, over 134 million

More information

How To Achieve Pca Compliance With Redhat Enterprise Linux

How To Achieve Pca Compliance With Redhat Enterprise Linux Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History

More information

Payment Card Industry Data Security Standard (PCI DSS)

Payment Card Industry Data Security Standard (PCI DSS) Payment Card Industry Data Security Standard (PCI DSS) WARNING: Your company may be in noncompliance with the Payment Card Industry Data Security Standard (PCI DSS), placing it at risk of brand damage,

More information

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards

A Websense Research Brief Prevent Data Loss and Comply with Payment Card Industry Data Security Standards A Websense Research Brief Prevent Loss and Comply with Payment Card Industry Security Standards Prevent Loss and Comply with Payment Card Industry Security Standards Standards for Credit Card Security

More information

An Oracle White Paper January 2010. Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance

An Oracle White Paper January 2010. Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance An Oracle White Paper January 2010 Using Oracle Enterprise Manager Configuration Management Pack for PCI Compliance Disclaimer The following is intended to outline our general product direction. It is

More information

CorreLog Alignment to PCI Security Standards Compliance

CorreLog Alignment to PCI Security Standards Compliance CorreLog Alignment to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

PCI DSS. CollectorSolutions, Incorporated

PCI DSS. CollectorSolutions, Incorporated PCI DSS Robert Cothran President CollectorSolutions www.collectorsolutions.com CollectorSolutions, Incorporated Founded as Florida C corporation in 1999 Approximately 235 clients in 35 states Targeted

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

This article describes the history of the Payment Card

This article describes the history of the Payment Card Copyright 2007 ISACA. All rights reserved. www.isaca.org. Achieving Compliance With the PCI Data Security Standard By Alex Woda, CISA, QDSP, QPASP This article describes the history of the Payment Card

More information

MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM

MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM MEETING PCI COMPLIANCE WITH SONICWALL GLOBAL MANAGEMENT SYSTEM PCI DSS 1.1 compliance requirements demand a new level of administration and oversight for merchants, banks and service providers to maintain

More information

PCI 3.0 Compliance for Power Systems Running IBM i

PCI 3.0 Compliance for Power Systems Running IBM i WHITE PAPER PCI 3.0 Compliance for Power Systems Running IBM i By Robin Tatam Introduction The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that processes credit

More information

Enforcive / Enterprise Security

Enforcive / Enterprise Security TM Enforcive / Enterprise Security End to End Security and Compliance Management for the IBM i Enterprise Enforcive / Enterprise Security is the single most comprehensive and easy to use security and compliance

More information

PCI Compliance: How to ensure customer cardholder data is handled with care

PCI Compliance: How to ensure customer cardholder data is handled with care PCI Compliance: How to ensure customer cardholder data is handled with care Choosing a safe payment process for your business Contents Contents 2 Executive Summary 3 PCI compliance and accreditation 4

More information

Presented By: Bryan Miller CCIE, CISSP

Presented By: Bryan Miller CCIE, CISSP Presented By: Bryan Miller CCIE, CISSP Introduction Why the Need History of PCI Terminology The Current Standard Who Must Be Compliant and When What Makes this Standard Different Roadmap to Compliance

More information

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues

Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues Credit Cards and Oracle E-Business Suite Security and PCI Compliance Issues August 16, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy

More information

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600

Credit Cards and Oracle: How to Comply with PCI DSS. Stephen Kost Integrigy Corporation Session #600 Credit Cards and Oracle: How to Comply with PCI DSS Stephen Kost Integrigy Corporation Session #600 Background Speaker Stephen Kost CTO and Founder 16 years working with Oracle 12 years focused on Oracle

More information

Why Is Compliance with PCI DSS Important?

Why Is Compliance with PCI DSS Important? Why Is Compliance with PCI DSS Important? The members of PCI Security Standards Council (American Express, Discover, JCB, MasterCard, and Visa) continually monitor cases of account data compromise. These

More information

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard Partner Addendum Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

Controlling Remote Access to IBM i

Controlling Remote Access to IBM i Controlling Remote Access to IBM i White Paper from Safestone Technologies Contents IBM i and Remote Access...2 An Historical Perspective...2 So, what is an Exit Point?...2 Hands on with Exit Points...3

More information

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire Instructions and Guidelines Version 1.1 February 2008 Table of Contents About this Document... 1 PCI Data Security Standard

More information

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

* Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level. Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to:

What are the PCI DSS requirements? PCI DSS comprises twelve requirements, often referred to as the digital dozen. These define the need to: What is the PCI standards council? The Payment Card Industry Standards Council is an institution set-up by American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International

More information

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core

PCI PA - DSS. Point ipos Implementation Guide. Version 1.01. VeriFone Vx820 using the Point ipos Payment Core PCI PA - DSS Point ipos Implementation Guide VeriFone Vx820 using the Point ipos Payment Core Version 1.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566 287 00 www.point.se Page

More information

Is the PCI Data Security Standard Enough?

Is the PCI Data Security Standard Enough? Is the PCI Data Security Standard Enough? By: Christina M. Freeman ICTN 6870 Advanced Network Security Abstract: This paper will present the researched facts on Payment Card Industry Data Security Standard

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

P R O G R E S S I V E S O L U T I O N S

P R O G R E S S I V E S O L U T I O N S PCI DSS: PCI DSS is a set of technical and operational mandates designed to ensure that all organizations that process, store or transmit credit card information maintain a secure environment and safeguard

More information

Security standards PCI-DSS, HIPAA, FISMA, ISO 27001. End Point Corporation, Jon Jensen, 2014-07-11

Security standards PCI-DSS, HIPAA, FISMA, ISO 27001. End Point Corporation, Jon Jensen, 2014-07-11 Security standards PCI-DSS, HIPAA, FISMA, ISO 27001 End Point Corporation, Jon Jensen, 2014-07-11 PCI DSS Payment Card Industry Data Security Standard There are other PCI standards beside DSS but this

More information

Virtualization Impact on Compliance and Audit

Virtualization Impact on Compliance and Audit 2009 Reflex Systems, LLC Virtualization Impact on Compliance and Audit Michael Wronski, CISSP VP Product Management Reflex Systems Agenda Introduction Virtualization? Cloud? Risks and Challenges? Compliance

More information

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers.

PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers. PCI DSS Compliance for Cloud-Based Contact Centers Mitigating Liability through the Standardization of Processes for cloud-based contact centers. White Paper January 2013 1 INTRODUCTION The PCI SSC (Payment

More information

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core

PCI PA - DSS. Point BKX Implementation Guide. Version 2.01. Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core PCI PA - DSS Point BKX Implementation Guide Atos Xenta, Atos Xenteo and Atos Yomani using the Point BKX Payment Core Version 2.01 POINT TRANSACTION SYSTEMS AB Box 92031, 120 06 Stockholm, Tel. +46 8 566

More information

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN

PROTECTION OF OUR MERCHANTS AND REFERRAL PARTNERS IS OUR FIRST CONCERN PCI Q: What is PCI? A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information

More information

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007

Agenda. Agenda. Security Testing: The Easiest Part of PCI Certification. Core Security Technologies September 6, 2007 Security Testing: The Easiest Part of PCI Certification Core Security Technologies September 6, 2007 Agenda Agenda The PCI Standard: Security Basics and Compliance Challenges Compliance + Validation =

More information

Two Approaches to PCI-DSS Compliance

Two Approaches to PCI-DSS Compliance Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,

More information

Data Loss Prevention Best Practices to comply with PCI-DSS An Executive Guide

Data Loss Prevention Best Practices to comply with PCI-DSS An Executive Guide Data Loss Prevention Best Practices to comply with PCI-DSS An Executive Guide. Four steps for success Implementing a Data Loss Prevention solution to address PCI requirements may be broken into four key

More information

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)

More information

New Boundary Technologies. The Payment Card Industry (PCI) Security Guide. New Boundary Technologies PCI Security Configuration Guide

New Boundary Technologies. The Payment Card Industry (PCI) Security Guide. New Boundary Technologies PCI Security Configuration Guide New Boundary Technologies The Payment Card Industry (PCI) Security Guide New Boundary Technologies PCI Security Configuration Guide October 2006 CONTENTS 1.0......Executive Summary 2.0.....The PCI Data

More information

Sarbanes-Oxley Compliance Made Easy

Sarbanes-Oxley Compliance Made Easy Sarbanes-Oxley Compliance Made Easy with Tango/04 software Document version: 2.2 Document date: February 2006 Product family: VISUAL Security Suite Product name: ALL Product version: 2.0 Contents Contents...

More information

PCI Compliance: Protection Against Data Breaches

PCI Compliance: Protection Against Data Breaches Protection Against Data Breaches Get Started Now: 877.611.6342 to learn more. www.megapath.com The Growing Impact of Data Breaches Since 2005, there have been 4,579 data breaches (disclosed through 2013)
